Tech
ICO publishes summary of police facial recognition audit | Computer Weekly

The Information Commissioner’s Office (ICO) has completed its first-ever data protection audit of UK police forces deploying facial recognition technologies (FRT), noting it is “encouraged” by its findings.
The ICO’s audit, which investigated how South Wales Police and Gwent Police are using and protecting people’s personal information when deploying facial recognition, marks the first time the data regulator has formally audited a UK police force for its use of the technology.
According to an executive summary published on 20 August, the scope of the facial recognition audit – which was agreed with the two police forces beforehand – focused on questions of necessity and proportionality (a key legal test for the deployment of new technologies), whether its design meets expectations around fairness and accuracy, and whether “the end-to-end process” is compliant with the UK’s data protection rules.
“We are encouraged by the findings, which provide a high level of assurance that the processes and procedures currently in place at South Wales Police and Gwent Police are compliant with data protection law,” said the deputy commissioner for regulatory policy, Emily Keaney, in a blog post.
“The forces made sure there was human oversight from trained staff to mitigate the risk of discrimination and ensure no decisions are solely automated, and a formal application process to assess the necessity and proportionality before each LFR deployment,” she wrote.
The executive summary added that South Wales Police and Gwent Police have “comprehensively mapped” their data flows, can “demonstrate the lawful provenance” of the images used to generate biometric templates, and have appropriate data protection impact assessments (DPIAs) in place.
It further added that the data collected “is adequate, relevant and limited to what is necessary for its purpose”, and that individuals are informed about its use “in a clear and accessible manner”.
However, Keaney was clear that the audit only “serves as a snapshot in time” of how the technology is being used by the two police forces in question. “It does not give the green light to all police forces, but those wishing to deploy FRT can learn from the areas of assurance and areas for improvement revealed by the audit summary,” she said.
Commenting on the audit, chief superintendent Tim Morgan of the joint South Wales and Gwent digital services department, said: “The level of oversight and independent scrutiny of facial recognition technology means that we are now in a stronger position than ever before to be able to demonstrate to the communities of South Wales and Gwent that our use of the technology is fair, legitimate, ethical and proportionate.
“We welcome the work of the Information Commissioner’s Office audit, which provides us with independent assurance of the extent to which both forces are complying with data protection legislation.”
He added: “It is important to remember that use of this has never resulted in a wrongful arrest in South Wales and there have been no false alerts for several years as the technology and our understanding has evolved.”
Lack of detail
While the ICO provided a number of recommendations to the police forces, it did not provide any specifics in the executive summary beyond the priority level of the recommendation and whether it applied to the forces’ use of live or retrospective facial recognition (LFR or RFR).
For LFR, it said it made four “medium” and one “low” priority recommendations, while for RFR, it said it made six “medium” and four “low” priority recommendations. For each, it listed one “high” priority recommendation.
Computer Weekly contacted the ICO for more information about the recommendations, but received no response on this point.
Although the summary lists some “key areas for improvement” around data retention policies and the need to periodically review various internal procedures, key questions about the deployments are left unanswered by the ICO’s published material on the audit.
For example, before they can deploy any facial recognition technology, UK police forces must ensure their deployments are “authorised by law”, that the consequent interference with rights – such as the right to privacy – is undertaken for a legally “recognised” or “legitimate” aim, and that this interference is both necessary and proportionate. This must be assessed for each individual deployment of the tech.
However, beyond noting that processes are in place, no detail was provided by the ICO on how the police forces are assessing the necessity and proportionality of their deployments, or how these are assessed in the context of watchlist creation.
Although more detail on proportionality and necessity considerations is provided in South Wales Police’s LFR DPIA, it is unclear if any of the ICO’s recommendations concern this process.
While police forces using facial recognition have long maintained that their deployments are intelligence-led and focus exclusively on locating individuals wanted for serious crimes, senior officers from the Metropolitan Police and South Wales Police previously admitted to a Lords committee in December 2023 that both forces select images for their watchlists based on crime categories attached to people’s photos, rather than a context-specific assessment of the threat presented by a given individual.
Computer Weekly asked the ICO whether it is able to confirm if this is still the process for selecting watchlist images at South Wales Police, as well as details on how well police are assessing the proportionality and necessity of their deployments generally, but received no response on these points.
While the ICO summary claims the forces are able to demonstrate the “lawful provenance” of watchlist images, the regulator similarly did not respond to Computer Weekly’s questions about what processes are in place to ensure that the millions of unlawfully held custody images in the Police National Database (PND) are not included in facial recognition watchlists.
Computer Weekly also asked why the ICO is only beginning to audit police facial recognition use now, given that it was first deployed by the Met in August 2016 and has been controversial since its inception.
“The ICO has played an active role in the regulation of FRT since its first use by the Met and South Wales Police around 10 years ago. We investigated the use of FRT by the Met and South Wales and Gwent police and produced an accompanying opinion in 2021. We intervened in the Bridges case on the side of the claimant. We have produced follow-up guidance on our expectations of police forces,” said an ICO spokesperson.
“We are stepping up our supervision of AI [artificial intelligence] and biometric technologies – our new strategy includes a specific focus on the use of FRT by police forces. We are conducting an FRT in Policing project under our AI and biometrics strategy. Audits form a core part of this project, which aims to create clear regulatory expectations and scalable good practice that will influence the wider AI and biometrics landscape.
“Our recommendations in a given audit are context-specific, but any findings that have applicability to other police forces will be included in our Outcomes Report due in spring 2026, once we have completed the rest of the audits in this series.”
EHRC joins judicial review
In mid-August 2025, the Equality and Human Rights Commission (EHRC) was granted permission to intervene in an upcoming judicial review of the Met Police’s use of LFR technology, which it claims is being deployed unlawfully.
“The law is clear: everyone has the right to privacy, to freedom of expression and to freedom of assembly. These rights are vital for any democratic society,” said EHRC chief executive John Kirkpatrick.
“As such, there must be clear rules which guarantee that live facial recognition technology is used only where necessary, proportionate and constrained by appropriate safeguards. We believe that the Metropolitan Police’s current policy falls short of this standard.”
He added: “The Met, and other forces using this technology, need to ensure they deploy it in ways which are consistent with the law and with human rights.”
Writing in a blog about the EHRC joining the judicial review, Chris Pounder, director of data protection training firm Amberhawk, said that, in his view, the statement from Kirkpatrick is “precisely the kind of statement that should have been made by” information commissioner John Edwards.
“In addition, the ICO has stressed the need for FRT deployment ‘with appropriate safeguards in place’. If he [Edwards] joined the judicial review process as an interested party, he could get judicial approval for these much vaunted safeguards (which nobody has seen),” he wrote.
“Instead, the ICO sits on the fence whilst others determine whether or not current FRT processing by the Met Police is ‘strictly necessary’ for its law enforcement functions. The home secretary, for her part, has promised a code of practice which will contain an inevitable bias in favour of the deployment of FRT.”
In an appearance before the Lords Justice and Home Affairs Committee on 8 July, home secretary Yvette Cooper confirmed the government is actively working with police forces and unspecified “stakeholders” to draw up a new governance framework for police facial recognition.
However, she did not comment on whether any new framework would be placed on a statutory footing.
Carbon opportunities highlighted in Australia’s utilities sector

Australia’s utility sector accounts for some 43.1% of the country’s carbon footprint, and some 37.2% of its direct emissions, new research from Edith Cowan University (ECU) has revealed.
Dr. Soheil Kazemian, from the ECU School of Business and Law, said the utilities sector included electricity generation, transmission and distribution, gas supply, water supply and waste collection and treatment.
Electricity generation and transmission were identified as the most significant contributors within the utilities sector, with commercial services and manufacturing emerging as substantial sources of embodied emissions within the sector.
The research, published in the Management of Environmental Quality: An International Journal, revealed that 71% of embodied emissions were attributed to electricity transmission, distribution, on-selling electricity, and electricity market operation. Electricity generation accounted for a further 15%, while gas supply accounted for 5%, water supply for 4%, and waste services and treatment for the remaining 5% of embodied emissions in the sector.
“The study highlights electricity transmission and generation as the subsectors with the highest potential for adopting low-carbon technologies. By pinpointing emission hotspots and offering detailed sectoral disaggregation, the results of the research provide actionable insights for prioritizing investment in emissions reduction strategies, advancing Australia’s sustainability goals and supporting global climate change mitigation,” Dr. Kazemian said.
He said that as with any other business, the pressure to reduce the carbon emissions footprint of the utility sector would need to originate from the consumer sector.
Unlike other sectors, however, increased investment into the utilities sector is likely to result in a smaller carbon footprint.
“This is a major difference between the different sectors in Australia. If you invest more in mining, that means the carbon footprint from that industry would increase, and the same can be said for manufacturing as the investment would result in expanded business.
“While new infrastructure development can generate temporary increases in emissions for the utility sector during construction, the long-term impact depends on where those dollars are spent. Investment in renewable energy systems or efficient delivery networks can significantly cut emissions, whereas continuing to fund carbon-intensive energy sources risks locking in higher emissions for decades to come.
“This complexity highlights a critical point that meaningful decarbonization will depend not only on policy or technology, but also on consumer choices. When households and businesses demand cleaner energy, utilities are more likely to channel investment into low-carbon solutions. By consciously choosing renewable energy options and supporting sustainable providers, consumers can send a powerful market signal that accelerates the transition to a cleaner grid,” Dr. Kazemian said.
More information:
Soheil Kazemian et al, Determining the carbon footprint of Australia’s electricity, gas, water and waste services sector, Management of Environmental Quality: An International Journal (2025). DOI: 10.1108/meq-07-2024-0311
Citation: Carbon opportunities highlighted in Australia’s utilities sector (2025, October 15), retrieved 15 October 2025 from https://techxplore.com/news/2025-10-carbon-opportunities-highlighted-australia-sector.html
AI-ready companies turning network pilots into profit | Computer Weekly

While the AI genie is out of the bottle for organisations of all sizes, only 13% of businesses are fully prepared for it, with those ready as much as four times more likely to move pilots into production and 50% more likely to see measurable value, according to a study by Cisco.
The data comes from the Cisco AI readiness index 2025, a global study, now in its third year, based on a double-blind survey of 8,000 senior IT and business leaders responsible for AI strategy at organisations with more than 500 employees across 26 industries and 30 markets.
Cisco added that the combination of foresight and foundation is delivering real, tangible results at a time when two major forces are starting to reshape the landscape: AI agents, which raise the bar for scale, security and governance; and AI infrastructure debt, the early warning signs of hidden bottlenecks that threaten to erode long-term value.
Regarding AI agents, the survey found ambition was outpacing readiness. Overall, 83% of organisations planned to deploy AI agents, and nearly 40% expected them to work alongside employees within a year. But the study discovered that, for the majority of these companies, AI agents were exposing weak foundations – that is, systems that can barely handle reactive, task-based AI, let alone AI systems that act autonomously and learn continuously. More than half (54%) of respondents said their networks can’t scale for complexity or data volume and just 15% describe their networks as flexible or adaptable.
AI infrastructure debt was called the modern evolution of technical and digital debt that once held back digital transformation. Moreover, the survey regarded it as “the silent accumulation of compromises, deferred upgrades, and underfunded architecture that erodes the value of AI over time”. Some 62% of firms expect workloads to rise by over 30% within three years, 64% struggle to centralise data, only 26% said that they have robust GPU capacity and fewer than one in three could detect or prevent AI-specific threats.
Among the topline results from the report was that a “small but consistent” group of companies surveyed – falling into the category of pacesetters, and making up about 13% of organisations for the past three years – were outperforming their peers across every measure of AI value.
Cisco noted that the pacesetters’ sustained advantage indicated a new form of resilience: a disciplined, system-level approach that balances strategic drivers with the data and network infrastructure needed to keep pace with AI’s accelerating evolution. It added that such firms were already architecting for the future, with 98% designing their networks for the growth, scale and complexity of AI, compared with 46% overall.
The research outlined a pattern among companies delivering real returns: they make AI part of the business, not a side project; they build infrastructure that’s ready to grow; they move pilots into production; they measure what matters; and they turn security into strength.
Virtually all pacesetters (99%) were found to have a defined AI roadmap (vs 58% overall), and 91% (vs 35%) had a change-management plan. Budgets match intent, with 79% making AI the top investment priority (vs 24%), and 96% with short- and long-term funding strategies (vs 43%). The study noted that such firms architect for the always-on AI era. Some 71% of pacesetters said that their networks were fully flexible and can scale instantly for any AI project (vs 15% overall), and 77% are investing in new datacentre capacity within the next 12 months (vs 43%).
Just over three-fifths had what was defined as a “mature, repeatable” innovation process for generating and scaling AI use cases (versus 13% overall), and three-quarters (77%) had already finalised those use cases (versus 18%). Some 95% track the impact of their AI investments – three times higher than others – and 71% were confident their use cases will generate new revenue streams, more than double the overall average. Meanwhile, 87% were highly aware of AI-specific threats (versus 42% overall), 62% integrated AI into their security and identity systems (versus 29%), and 75% were fully equipped to control and secure AI agents (versus 31%).
The result of this approach, said Cisco, was that pacesetters achieve more widespread results than their peers, with 90% reporting gains in profitability, productivity and innovation, compared with around 60% overall.
Commenting on the results from the survey, Cisco president and chief product officer Jeetu Patel stated that the AI readiness index makes one thing clear: AI doesn’t fail – readiness fails, adding: “The most AI-ready organisations – the pacesetters from our research – prove it. They’re four times more likely to move pilots into production and 50% more likely to realise measurable value. So, with more than 80% of organisations we surveyed about to deploy AI agents, these new findings confirm readiness, discipline and action are key to unlocking value.”
Patch Tuesday: Windows 10 end of life pain for IT departments | Computer Weekly

The day Microsoft officially ended support for Windows 10 has coincided with a Patch Tuesday update, with several zero-day flaws that attackers could exploit to target the older Windows operating system.
Among these is CVE-2025-24990, which covers a legacy device driver that Microsoft has removed entirely from Windows. “The active exploitation of CVE-2025-24990 in the Agere Modem driver (ltmdm64.sys) shows the security risks of maintaining legacy components within modern operating systems,” warned Ben McCarthy, lead cyber security engineer at Immersive.
“This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years,” he said. “Kernel-mode drivers operate with the highest system privileges, making them a primary target for attackers seeking to escalate their access.”
McCarthy said threat actors are using this vulnerability as a second stage for their operations. “The attack chain typically begins with the actor gaining an initial foothold on a target system through common methods like a phishing campaign, credential theft, or by exploiting a different vulnerability in a public-facing application,” he said.
McCarthy added that Microsoft’s decision to remove the driver entirely, rather than issue a patch, is a direct response to the risks associated with modifying unsupported, third-party legacy code. “Attempts to patch such a component can be unreliable, potentially introducing system instability or failing to address the root cause of the vulnerability completely,” he said.
In removing the driver from the Windows operating system, McCarthy said Microsoft has prioritised reducing the attack surface over absolute backward compatibility. “By removing the vulnerable and obsolete component, the potential for this specific exploit is zero,” he said. “The security risk presented by the driver was determined to be greater than the requirement to continue supporting the outdated hardware it serves.”
McCarthy said this approach demonstrates that an effective security strategy must include the lifecycle management of old code, where removal is often more definitive and secure than patching.
Another zero-day flaw that is being patched concerns the Trusted Platform Module from the Trusted Computing Group (TCG). Adam Barnett, lead software engineer at Rapid7, noted that the CVE-2025-2884 flaw concerns the TPM 2.0 reference implementation, which, under normal circumstances, is likely to be replicated in the downstream implementation by each manufacturer.
“Microsoft is treating this as a zero-day despite the curious circumstance that Microsoft is a founder member of TCG, and thus presumably privy to the discovery before its publication,” he said. “Windows 11 and newer versions of Windows Server receive patches. In place of patches, admins for older Windows products such as Windows 10 and Server 2019 receive another implicit reminder that Microsoft would strongly prefer that everyone upgrade.”
One of the patches classified as “critical” has such a profound impact that some security experts advise IT departments to patch immediately. McCarthy warned that the CVE-2025-49708 critical vulnerability in the Microsoft Graphics Component, although classed as an “elevation of privilege” security issue, has a severe real-world impact.
“It is a full virtual machine [VM] escape,” he said. “This flaw, with a CVSS score of 9.9, completely shatters the security boundary between a guest virtual machine and its host operating system.”
McCarthy urged organisations to prioritise patching this vulnerability because it invalidates the core security promise of virtualisation.
“A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can break out and execute code with system privileges directly on the underlying host server,” he said. “This failure of isolation means the attacker can then access, manipulate or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases or production applications.”